Abstract. We address the model checking problem for shared memory concurrent programs modeled
as multi-pushdown systems. We consider here boolean programs with a finite number of threads
and recursive procedures. It is well-known that the model checking problem is undecidable for this
class of programs. In this paper, we investigate the decidability and the complexity of this problem
under the assumption of bounded context-switching defined by Qadeer and Rehof [19], and of
phase-boundedness proposed by La Torre et al. [24]. The model checking of such systems against
temporal logics, and in particular branching time logics such as the modal $\mu$-calculus or CTL, has
received little attention. It is known that parity games, which are closely related to the modal
$\mu$-calculus, are decidable for the class of bounded-phase systems (and hence for bounded-context
switching as well), but with non-elementary complexity [21]. A natural question is whether this
high complexity is inevitable and what are the ways to get around it. This paper addresses these
questions and unfortunately, and somewhat surprisingly, it shows that branching model checking
for MPDSs is inherently a hard problem with no easy solution. We show that solving parity games on
MPDSs under the phase-bounding restriction is non-elementary. Our main result shows that model
checking a k context bounded MPDS against a simple fragment of CTL, consisting of formulas
whose temporal operators come from the set {EF, EX}, has a non-elementary lower bound.

1 Introduction

The verification of multi-threaded programs has been an important topic of research in recent years
[5, 4, 13-16, 19, 25]. One may use pushdown systems to abstract sequential recursive programs and analyze
them using the plethora of results available in the literature. However, the presence of multiple threads
with their own call stacks means that modeling multi-threaded programs needs systems with multiple
pushdowns. Unfortunately, verifying a finite state system equipped in addition with 2 pushdowns is
undecidable as it is Turing powerful.

Qadeer and Rehof [19] proposed one way to get around this undecidability. They studied
under-approximations of the set of behaviors of multi-pushdown systems. They proposed the bounded
context-switching restriction, which imposes a bound k on the number of switches from using one pushdown
to another. The control state reachability as well as the global model checking problem (computing, for
a given regular set of configurations, the set of configurations from which the given set can be reached)
turn out to be decidable. Subsequently, various other classes of under-approximations have been studied
including bounded phase, ordered multi-pushdown and bounded scope [2, 1, 3, 7, 18, 22, 24, 26].

A phase is a sequence of computational steps that pops from a fixed stack but is allowed to push values 
into any stack. By imposing a bound k on the number of phases, we obtain an under-approximation that is 
more general than bounded context switch analysis. This restriction, called the bounded-phase restriction,
was proposed in [24], where its control state reachability problem is also shown to be decidable.

In [7, 3] a different restriction called ordered multi-pushdown is studied where there is a linear order on
the stacks and any pop action is only permitted in the smallest nonempty stack. More recently, in [26],
a restriction that demands that a value that is pushed be popped within a bounded number of context 
switches (or not at all) is studied. Most of these works examine the control state reachability problem 
and its generalization, the global reachability problem and obtain decidability results [2, 22]. 

The model checking of such systems against temporal logics, and in particular branching time
logics such as the modal $\mu$-calculus or CTL, has received little attention. It is known that parity games,
which are closely related to the modal $\mu$-calculus, are decidable for the class of bounded-phase systems
(and hence for bounded-context switching as well), but with non-elementary complexity [21]. A natural
question is whether this high complexity is inevitable and what are the ways to get around it. This paper
addresses these questions and unfortunately, and somewhat surprisingly, it seems that branching model
checking for MPDSs is inherently a hard problem with no easy solution. Our main result shows that
model checking a k context bounded MPDS against a simple fragment of CTL, consisting of formulas
whose temporal operators come from the set {EF, EX}, has a non-elementary lower bound.

The complexity of parity games and CTL model-checking for pushdown systems has been well studied.
Walukiewicz [28] shows that parity games are solvable in EXPTIME and that model checking of PDSs
against even CTL formulas has an EXPTIME lower-bound [27]. As a matter of fact, our proof utilizes
ideas from the latter work. 

A different generalization of pushdown systems is that of higher-order pushdown systems (HOPDAs).
A level 1 pushdown is a normal pushdown and a level k pushdown is a pushdown of level k-1 pushdowns.
A higher level push operation duplicates the top most stack while a pop operation removes such a stack.
For a formal definition of these models and the operations on them the reader is referred to [29, 10].
These are extremely powerful models and in [10] it is shown that their configuration graphs capture
every graph that lies in the Caucal hierarchy. Cachat [8] also showed the decidability of parity games
over HOPDAs. Cachat and Walukiewicz [9] show that parity games on HOPDAs have non-elementary
complexity in the number of levels of higher order stacks and subsequently tight lower bounds have been
shown for the model checking of HOPDAs w.r.t. various linear and branching time temporal logics [12].
A key ingredient in the lower bound proof of Cachat-Walukiewicz is the use of a certain kind of counters,
introduced by L. Stockmeyer [23], and encoding of the configurations of a TM using these counters. We
draw heavily on this idea in our lower bound proof for CTL. Unlike the HOPDAs, bounded context switch
MPDSs do not possess the ability to duplicate the contents of a stack, making our argument somewhat
more elaborate.

2 Preliminaries 

A multi-pushdown system (MPDS) is a generalization of the classical pushdown system with multiple 
stacks. As is well known, two stacks suffice to simulate a tape and hence even a two stack MPDS is
Turing powerful. However, there are a number of restrictions that one may place on the behaviors of MPDSs
resulting in decidability of many interesting properties. 

Definition 1. A Multi Pushdown System (MPDS) $A$ is a tuple $(Q, \Gamma, l, \delta, q_0)$ where $Q$ is a finite set of
states, $l$ is an integer giving the number of stacks, $\Gamma$ is the stack alphabet (not containing the special
stack symbol $\bot$), $q_0$ is the initial state and $\delta = \delta_e \cup \delta_c \cup \delta_r$ is the transition relation, where

- $\delta_e \subseteq Q \times Q$

- $\delta_c \subseteq Q \times (\Gamma \cup \{\bot\}) \times Q \times [1..l] \times \Gamma$

- $\delta_r \subseteq Q \times \Gamma \times Q \times$

In each transition, the MPDS may carry out an internal (or skip) move ($\delta_e$), or examine the top
symbol of one stack and, based on its value, push one symbol onto that stack ($\delta_c$) or pop one symbol from
that stack ($\delta_r$). We shall write $\delta_r^i$, $1 \le i \le l$, to denote the set of pop transitions where the pop is
performed on stack $i$ and similarly $\delta_c^i$ will denote the set of push transitions on stack $i$. The configuration
of such a MPDS is naturally given by the current state as well as the contents of the $l$ stacks.

Definition 2. A configuration of a MPDS $A = (Q, \Gamma, l, \delta, q_0)$ is of the form $q(\gamma_1, \ldots, \gamma_l)$ where $q \in Q$
is a state and $\gamma_i \in \Gamma^* \cdot \{\bot\}$ is the content of the stack $i \in [1..l]$.

Next we define the one step move relation which describes how an MPDS may move from one 
configuration to another using one of the transitions in S. 

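Definition 3. Let $A = (Q, \Gamma, l, \delta, q_0)$ be a MPDS. The one step move relation using the transition $t \in \delta$
is defined as follows:

$q(\gamma_1, \ldots, \gamma_l) \xrightarrow{t} q'(\gamma'_1, \ldots, \gamma'_l)$

if and only if one of the following conditions holds

1. $t = (q, q') \in \delta_e$ and $\gamma_i = \gamma'_i$.

2. $t = (q, a, q', j, b) \in \delta_c$ and $\gamma'_j = b.\gamma_j$, $\gamma_j = a.\gamma$ and for $i \neq j$, $\gamma_i = \gamma'_i$.

3. $t = (q, a, q', j) \in \delta_r$ and $\gamma_j = a.\gamma'_j$ and for $i \neq j$, $\gamma_i = \gamma'_i$.

Notation. We write $\to$ to denote $\bigcup_{t \in \delta} \xrightarrow{t}$, $\to_e$ to denote $\bigcup_{t \in \delta_e} \xrightarrow{t}$, $\to_c$ to denote
$\bigcup_{t \in \delta_c} \xrightarrow{t}$ and $\to_r$ to denote $\bigcup_{t \in \delta_r} \xrightarrow{t}$. We use $\twoheadrightarrow$ to denote the reflexive, transitive closure
of $\to$. We also write $\overset{w}{\twoheadrightarrow}$ with $w \in \delta^*$, when the sequence of transitions used is important. We say that
there is a run from a configuration $c$ to a configuration $d$ if $c \twoheadrightarrow d$ and that there is a run over $w$
($w \in \delta^*$) if $c \overset{w}{\twoheadrightarrow} d$.

We write $\twoheadrightarrow_i$ to denote the reflexive transitive closure of $\delta_e \cup \delta_c^i \cup \delta_r^i$, i.e. sequences of moves in which
all stack accesses are restricted to the stack $i$. We also use $\delta^i$ to denote the set $\delta_e \cup \delta_c^i \cup \delta_r^i$.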

Informally, a context is a sequence of moves in which only a single stack is accessed. Clearly, each run 
of an MPDS can be broken up into contiguous segments, where each segment forms a context. Qadeer 
and Rehof [19] in 2005, showed that by a priori bounding the number of contexts in any execution 
by a constant k (or equivalently by restricting our attention only to runs whose number of contexts is 
bounded by a constant k) one can effectively analyze multi-pushdown systems. For instance, the control 
state reachability problem becomes decidable. 

Definition 4. Let $c$ be a configuration. A run $c \overset{w}{\twoheadrightarrow} d$ is said to be m-context if $w = w_1.w_2.w_3 \ldots w_m$
such that for each $j$ with $1 \le j \le m$, there is an $i_j$, $1 \le i_j \le l$, such that $w_j \in (\delta^{i_j})^*$. We say that $d$ is
reachable from $c$ in $m$ context switches if there is a $w$ and an m-context run $c \overset{w}{\twoheadrightarrow} d$.

The idea of a context can be generalized to a phase by focussing only on the pop moves in the run. 
In a phase of a run of an MPDS, all the pop moves involve the same stack. Each run of an MPDS can be 
broken up into contiguous segments, wherein each segment forms a phase. The bounded-phase restriction 
places a bound k on the number of phases along any run. 

Definition 5. Let $c$ be a configuration. A run $c \overset{w}{\twoheadrightarrow} d$ is said to be m-phase, if $w = w_1.w_2.w_3 \ldots w_m$ such
that for each $j$ with $1 \le j \le m$, there is an $i_j$, $1 \le i_j \le l$, such that $w_j \in (\delta^{i_j} \cup \bigcup_{p \le l} \delta_c^p)^*$. Finally, $d$ is
reachable from $c$ in $m$ phases if there is a $w$ such that $c \overset{w}{\twoheadrightarrow} d$ is m-phase.



3 Parity Games over MPDSs 

We now define parity games over MPDSs and subsequently consider their restriction to bounded number 
of phases. 

Definition 6. A parity game over an MPDS is a MPDS $A = (Q, \Gamma, l, q_0, \delta)$, along with a decomposition
of $Q$ into two disjoint sets $Q_0$ and $Q_1$ (i.e., $Q = Q_0 \uplus Q_1$) and a ranking function $\Omega : Q \to [1..M]$.
The positions of such a game are the configurations of the MPDS. A position $q(\gamma_1, \gamma_2, \ldots, \gamma_l)$ belongs
to player $i$ if $q$ belongs to $Q_i$ and its rank is $\Omega(q)$. Since the starting state of the MPDS often plays no
role in the definition of games we shall usually drop it from the definition of MPDS in the following and
write a game $G$ as a pair $(A, \Omega)$ where $A = (Q_0 \uplus Q_1, \Gamma, l, \delta)$ is an MPDS (w/o a start state) and $\Omega$ is
a ranking function.

The usual notions of plays, strategies, winning strategies, memoryless strategies, plays consistent with 
a given strategy and so on are defined on these game graphs as they are just a subclass of parity games. 

Classical theorems such as Martin's determinacy theorem as well as the memoryless determinacy
theorem hold for these games as the winning condition is a parity condition. However, since MPDSs with 
even two stacks are Turing powerful it follows that there is no hope for algorithmic solvability. 

In [21] Anil Seth showed that parity games on MPDSs with a bound on the number of phases are
decidable.

Definition 7. Let $G = (A, \Omega)$ be a MPDS parity game where $A = (Q_0 \uplus Q_1, \Gamma, l, \delta)$. The positions of
the bounded-phase game on $G$ are triples of the form $(c, i, k)$ where $c$ is a configuration of the MPDS
$A$, $i \in \{0, 1, \ldots, l\}$ is a stack identifier and $k > 0$ is an integer denoting the remaining number of
phases. The number $k$ indicates an upper bound on the number of phases that are permitted starting at
the configuration $c$ and the number $i$ gives the stack being used in the current phase. The value $i = 0$ is
used to indicate that the current phase has not used any stack (this is the case at the beginning of the
game). The edges of the game graph are given by $(c, i, k) \to (c', i', k')$ if

1. $c \to_e c'$ or $c \to_c c'$ and $i' = i$ and $k' = k$

2. $c \xrightarrow{t} c'$, $t \in \delta_r^j$, $i = 0$, $k = k'$ and $i' = j$

3. $c \xrightarrow{t} c'$, $t \in \delta_r^i$, $k = k'$, $i' = i$

4. $c \xrightarrow{t} c'$, $t \in \delta_r^j$, $j \neq i$, $k > 1$, $k' = k - 1$, $i' = j$.

Observe that if the game is already in a position of the form (c,i, 1) then pop moves on any stack 
other than i are no longer available. Thus, even if the original MPDS has no deadlocked configurations, 
the game graph described above might still have positions with no outgoing edges. As usual, if the game 
reaches a position with no outgoing edges then the owner of that position loses the game. 
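The following added example (not code from the paper) contrasts the context count of Definition 4 with the phase count of Definition 5 and follows the (i, k) component of a Definition 7 position along a run. It assumes that transitions are abstracted to their stack action, that rule 4 is read as applying only once a phase is in progress (i ≠ 0), and it uses a constructed run shaped like the stack-to-stack copying loops of Section 4.2; all function names are hypothetical.

```python
from typing import List, Optional, Tuple

# Added illustration. A transition is abstracted to the stack action it performs:
#   ("int", 0)  internal move (delta_e), ("push", j) push on stack j (delta_c),
#   ("pop", j)  pop from stack j (delta_r). States and stack letters are omitted.
Move = Tuple[str, int]


def count_contexts(run: List[Move]) -> int:
    """Least m such that the run is m-context (Definition 4)."""
    m, current = 1, None
    for kind, j in run:
        if kind == "int":
            continue                      # internal moves fit in any context
        if current is None:
            current = j                   # first stack access fixes the context
        elif j != current:
            m, current = m + 1, j         # any access to another stack switches
    return m


def count_phases(run: List[Move]) -> int:
    """Least m such that the run is m-phase (Definition 5)."""
    m, current = 1, None
    for kind, j in run:
        if kind != "pop":
            continue                      # pushes are free: any stack, any phase
        if current is None:
            current = j
        elif j != current:
            m, current = m + 1, j         # only a pop on another stack switches
    return m


def game_step(i: int, k: int, move: Move) -> Optional[Tuple[int, int]]:
    """(i', k') reached from the (i, k) part of a position of Definition 7,
    or None when the bounded-phase game graph has no edge for this move."""
    kind, j = move
    if kind != "pop":
        return (i, k)                     # rule 1: internal or push move
    if i == 0:
        return (j, k)                     # rule 2: first pop of the play
    if j == i:
        return (i, k)                     # rule 3: pop inside the current phase
    if k > 1:
        return (j, k - 1)                 # rule 4: phase change, budget shrinks
    return None                           # position (c, i, 1): other pops are gone


def play(run: List[Move], k: int) -> Optional[Tuple[int, int]]:
    """Follow run from a position (c, 0, k); None if it leaves the game graph."""
    pos: Optional[Tuple[int, int]] = (0, k)
    for move in run:
        pos = game_step(pos[0], pos[1], move)
        if pos is None:
            return None
    return pos


def copy_round_trip(n: int) -> List[Move]:
    """Constructed run: stack actions of the 1*2 and 2*1 copying loops of
    Section 4.2 that move n symbols to stack 2, write x, and move them back."""
    run: List[Move] = []
    for _ in range(n):
        run += [("pop", 1), ("push", 2)]
    run.append(("push", 1))               # write x on stack 1
    for _ in range(n):
        run += [("pop", 2), ("push", 1)]
    return run


if __name__ == "__main__":
    run = copy_round_trip(3)
    print("contexts:", count_contexts(run))     # grows with n
    print("phases:", count_phases(run))         # independent of n
    print("k=2:", play(run, 2), " k=1:", play(run, 1))
```

The copying run needs a number of contexts linear in n but only two phases, which is why the construction of Section 4 fits the bounded-phase restriction and not the bounded-context one.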

The ranking function assigns ranks based on the local state of the MPDS

$\Omega(q(\gamma_1, \gamma_2, \ldots, \gamma_l)) = \Omega(q)$

We say that a player $i$ wins the k-phase game starting at a configuration $c$ of the MPDS $A$, if the
position $(c, 0, k)$ is winning in the game graph described above. Anil Seth proved the following theorem:

Theorem 8. (Anil Seth) The MPDS parity game with a phase bound k is decidable. That is, one can 
determine for any starting configuration c the winner from that position. 

The construction in [21] also shows that the winner's strategy can be described as a multi-pushdown
strategy. The complexity of determining the winner is non-elementary and grows as a tower of
exponentials as k increases. As our first result, in the next section, we show that this is inevitable by
establishing a non-elementary lower bound for such games, thereby settling an open question posed in [21].

A natural question then is to consider weaker models (than bounded phase systems) or weaker properties
(than parity games, which are equivalent to the modal $\mu$-calculus) or both. Surprisingly, we find that
even for the weakest model of MPDSs considered, with a bound k on the number of context switches,
and a fragment of the logic CTL, which in turn is a simple fragment of the modal $\mu$-calculus, the model
checking problem turns out to be non-elementary and grows as a tower whose height grows linearly in
k. This proof is significantly more complicated and draws heavily from the techniques developed in [27]
by Walukiewicz and in [9] by Cachat and Walukiewicz. The rest of the paper describes a proof of this
result.

4 A lower bound for bounded-phase parity games 

A well known result of Stockmeyer [23] shows that deciding the satisfiability of the first order logic with
the ordering relation (FO(<)) over $(\mathbb{N}, <)$ (or the validity, since validity is the same as satisfiability over
a single model) has non-elementary complexity.

We now show that given a formula $\varphi$ in FO(<) of size $n$ and quantifier depth $k$ (clearly $k < n$) there
is an MPDS that is polynomial in the size of $\varphi$ such that the $k$ phase game is winning for player 0 if and
only if the formula $\varphi$ is satisfiable.

Henceforth we assume that there are no negations in the formula (this can be ensured by pushing
the negations down to the atomic formulas using the usual dualities and then replacing $\neg(x < y)$ by
$(x = y) \lor (y < x)$ and so on).

4.1 The satisfiability game 

We define a reachability game whose positions are pairs of the form $(\psi, \rho)$, where $\psi$ is a formula from
FO(<) and $\rho : FV(\psi) \to \mathbb{N}$ is a function that assigns a natural number to each of the free variables
of $\psi$. If the outermost logical operator of $\psi$ is either a $\forall$ quantifier or $\land$ then the position of the form
$(\psi, \rho)$ belongs to player 1. Otherwise, i.e. if the outermost logical operator is either a $\exists$ quantifier or $\lor$
or the formula is an atomic formula then the position belongs to player 0.

If $\psi$ is an atomic formula then it has no outgoing edges. If $\psi$ is $\psi_1 \lor \psi_2$ or $\psi_1 \land \psi_2$ then there are edges
from any position of the form $(\psi, \rho)$ to the positions $(\psi_1, \rho)$ and $(\psi_2, \rho)$. If $\psi = \forall x.\psi'$ (or $\psi = \exists x.\psi'$)
then there are edges from $(\psi, \rho)$ to all positions of the form $(\psi', \rho')$ where $\rho'(y) = \rho(y)$ for $y \neq x$ and $\rho'$
is also defined at $x$.

The play is winning for player 0 if it ends at a node of the form $((x = y), \rho)$ and $\rho(x) = \rho(y)$ or it ends
at a node of the form $((x < y), \rho)$ and $\rho(x) < \rho(y)$. Otherwise, player 1 wins the game. The following is
quite easy to see.

A winning strategy for player 0 picks positions for the existential variables in such a way that no
matter which positions are picked for the universal variables by the opponent the resulting quantifier-free
formula is satisfied. It is easy to see that

Theorem 9. Given a formula $\varphi$ and a valuation $\rho$ for the free variables of $\varphi$, $\varphi$ is satisfiable/valid w.r.t.
$\rho$ iff player 0 has a winning strategy from the position $(\varphi, \rho)$ in the satisfiability game. In particular, if $\varphi$
is a sentence then it is satisfiable/valid iff player 0 has a winning strategy from the position $(\varphi, \emptyset)$.



4.2 The bounded phase game for FO(<) satisfiability 

We now show that the satisfiability game can be reformulated as a bounded-phase MPDS game. Let $\varphi$
be the given formula. Informally, the MPDS maintains the current valuation $\rho$ in its first stack and the
formula $\varphi$ in the state. In each step, the automaton strips off one operator from the formula. Stripping
a quantifier corresponds to modifying the contents of the stack to reflect the new valuation.

We translate a valuation $\rho$ into a word as follows: If the domain of $\rho$ is empty then we represent it
using the empty word. Otherwise, it is represented by any word $w$ over the alphabet $\{a\} \cup V$ where $V$ is
the domain of $\rho$, $w \in V \cdot (\{a\} \cup V)^* \cdot \{\bot\}$, every element of $V$ occurs precisely once in $w$ and if $w = w_1 x w_2$
for $x \in V$ then $\#_a w_2 = \rho(x)$.

Let $S(\varphi)$ be the set of sub-formulas of the formula $\varphi$ and let $V$ be its set of variables. We describe
the MPDS in two parts. The first part describes the moves till we reach an atomic formula. The set of
states used for this purpose is $S(\varphi) \cup (S(\varphi) \times \{>, <, 1{*}2, 2{*}1\}) \cup (S(\varphi) \times \{1{*}2, 2{*}1\} \times (\{a\} \cup V))$. The
transitions are defined as follows (we write $Qx$ to stand for $\forall x$ and $\exists x$):



- $(\psi_1 \land \psi_2, \psi_1), (\psi_1 \land \psi_2, \psi_2) \in \delta_e$.

- $(Qx.\psi, (Qx.\psi, <)), (Qx.\psi, (Qx.\psi, >)) \in \delta_e$. Guess whether the next variable x is to be inserted
  between existing variables or to their right.

- $((Qx.\psi, >), ., (Qx.\psi, >), 1, a) \in \delta_c$. Push an a to increase the possible number for x. (Observe that
  we use the symbol . to denote that there is no constraint on the top of the stack.)

- $((Qx.\psi, >), ., \psi, 1, x) \in \delta_c$. Mark the position for x and shift to the sub-formula.

- $((Qx.\psi, <), (Qx.\psi, 1{*}2)) \in \delta_e$. Begin copying some elements from Stack 1 to Stack 2.

- $((Qx.\psi, 1{*}2), c, (Qx.\psi, 1{*}2, c), 1) \in \delta_r$. Read and pop a value from stack 1.

- $((Qx.\psi, 1{*}2, c), ., (Qx.\psi, 1{*}2), 2, c) \in \delta_c$. Write the read value on to stack 2.

- $((Qx.\psi, 1{*}2), ., (Qx.\psi, 2{*}1), 1, x) \in \delta_c$. Write x on stack 1 and change to copying back from Stack 2.

- $((Qx.\psi, 2{*}1), c, (Qx.\psi, 2{*}1, c), 2) \in \delta_r$. Read and pop a value from stack 2.

- $((Qx.\psi, 2{*}1, c), ., (Qx.\psi, 2{*}1), 1, c) \in \delta_c$. Write the read value on to stack 1.

- $((Qx.\psi, 2{*}1), \bot, \psi, 2, e) \in \delta_c$. Copying is complete, move to the sub-formula.


States where the formula component either begins with a $\forall x$ or has $\land$ as the outermost
operator belong to player 1 and the other states belong to player 0.

In the second part we describe the state space starting at a state of the form $(x = y)$ or $(x < y)$ that
determines the winner of the game. This involves additional states of the form
$\{x = y, x < y, x, y, a_y \mid x, y \in V\} \cup \{T, F\}$. All these positions belong to player 0. The transitions
(and states) are described as follows:



1. $(x = y, a, x = y, 1) \in \delta_r$. Pop till x or y are found.

2. $(x = y, z, x = y, 1) \in \delta_r$, if $z \notin \{x, y\}$.

3. $(x = y, x, y, 1) \in \delta_r$, start looking for y.

4. $(x = y, y, x, 1) \in \delta_r$, start looking for x.

5. 1) $\in \delta_r$, skip other variables ($x \neq z$).

6. $(x, a, F, 1)$. Player 1 should win now.

7. $(x, x, T, 1)$. Player 0 should win now.

8. $(x < y, a, x < y, 1) \in \delta_r$. Pop till you find x.

9. $(x < y, z, x < y, 1) \in \delta_r$. Skip other variables ($z \notin \{x, y\}$).

10. $(x < y, y, F, 1) \in \delta_r$. Player 1 wins.

11. $(x < y, x, a_y, 1) \in \delta_r$. x is seen first, make sure there is an a before the y.

12. $(a_y, z, a_y, 1) \in \delta_r$, $z \neq y$.

13. $(a_y, a, T, 1) \in \delta_r$. Player 0 wins.

14. $(T, T) \in \delta_e$.

15. $(F, F) \in \delta_e$.

It is quite easy to check that starting at a configuration of the form $(x = y, \gamma_1, \gamma_2)$, the play enters T
iff the valuation defined by $\gamma_1$ satisfies $x = y$ and similarly for $x > y$. Further there is no phase change
and every play eventually either enters T or F. The state T has parity 0 ensuring victory for player 0
and state F has parity 1.

However, starting at a configuration with quantifiers does not guarantee that each play is terminating.
This is because of the loop in states of the form $(Qx.\psi, >)$. However, we can make this unprofitable for the
owner by setting the parity to be 0 if $Qx = \forall x$ and setting the parity to be 1 if $Qx = \exists x$, thus forcing
the player to exit such states. All other states are transient and hence their parity does not matter and
can be assigned anything.

Thus, any winning strategy for either player in this game corresponds to a winning strategy for the 
player in the satisfiability game. Translating a winning strategy in the satisfiability game to a winning 
strategy in this game is even easier. Further, observe that any run of this MPDS cannot change phases 
more than 2 times the number of quantifiers in the formula and thus it naturally defines a bounded phase 
game. All this gives us the following theorem. 

Theorem 10. For any FO(<) formula $\varphi$ of size n there is a MPDS game with at most polynomial states
in n, for which the 2n bounded phase game is equivalent to the satisfiability game for $\varphi$. Thus, solving
parity games on bounded-phase MPDSs is non-elementary.

We also wish to remark that the alphabet of the MPDS need not grow with the number of variables. 
We can encode the variables using two letters and this will increase the state space (which will stay 
polynomial). Thus, the result holds for fixed size alphabets as well. 

Remark: In order to simplify our presentation in the following sections, where the constructions tend
to be much more involved, we shall often explain the role of some subset of the state space in an informal
manner when it is clear how it can be formalized. For instance, instead of writing out the state space
beginning at $(x = y)$ above, we shall simply say that "there is a subroutine beginning at a state $(x = y)$
that pops the stack till it encounters x or y and then verifies that the other is also encountered before any
a's and if so enters the state T and otherwise the state F. It is easy to see that the state space needed
for this subroutine is constant in size and it does not make any phase (or context) changes".



5 MPDS, CTL and model checking 

In this section we show that model checking of bounded context-switch MPDSs w.r.t. CTL formulas has 
a non-elementary lower bound. 



5.1 The logic CTL 

The logic CTL is a simple temporal logic to describe branching time properties of systems. The syntax 
of CTL is given by 

$\alpha := P \mid \alpha_1 \land \alpha_2 \mid \neg\alpha \mid EX\alpha \mid EF\alpha \mid EG\alpha \mid \alpha_1 EU \alpha_2$

where P is a propositional variable drawn from a suitable set. 

Models of CTL formulas are Kripke structures or LTSs. For our purposes we may think of them as
graphs where each node is labelled by the set of propositions true at that node. The formula $P$ is true at
a state s if $P$ belongs to the label of s. The boolean operators have the usual meaning. The formula $EX\alpha$
is true at s if there is an edge to a node s' and s' satisfies $\alpha$. $EF\alpha$ is true at s if there is a reachable node
s' where $\alpha$ is true. $EG\alpha$ asserts that there is a complete path (finite ending at a node with no outgoing
edges or infinite) such that every state appearing in that path satisfies $\alpha$. Finally, $\alpha_1 EU \alpha_2$ is satisfied at
s if there is a path $s = s_1, s_2, \ldots, s_n$ such that $s_n$ satisfies $\alpha_2$ and $s_i$ satisfies $\alpha_1$ for $i < n$.

The model-checking problem for CTL is to determine for a given formula $\alpha$ and a labelled graph G and
a node s whether s satisfies $\alpha$. A formal semantics and detailed introduction to CTL model-checking
may be found for instance in [6, 11].

We may turn any MPDS into a model by taking the set of control states as the set of propositions 
with the obvious labeling - q is true only at the state q. The problem we consider is, given an MPDS M
and a CTL formula $\alpha$ over its states, and a constant k, restrict its transition graph to at most k context
switches and check if the initial configuration satisfies the formula a. We call this the bounded-context 
switch CTL model checking problem. 

Our main theorem is the following: 

Theorem 11. Fix any constant k. The problem of model checking CTL formulas of size m against
MPDSs of size n with a context bound k has complexity that is at least $2^{2^{\cdot^{\cdot^{2^{P(m,n)}}}}}$ where the height of
the tower is g(k), a linear function of k and P(m,n) is a polynomial in m,n.

5.2 Stockmeyer's Nested Counters 

Our proof draws heavily from the techniques developed by L. Stockmeyer in [23] and used heavily by 
Igor Walukiewicz and Thierry Cachat [9] in showing that deciding reachability games for higher-order 
pushdown systems is non-elementary. We combine these with some ideas from a proof of Igor Walukiewicz 
showing that model checking pushdown systems against CTL formulas is EXPTIME-complete. In the rest 
of this section, we recall some of these ideas from the aforementioned papers. 

The number Tow(k) is inductively defined as follows: Tow(1) = 1 and $Tow(k) = 2^{Tow(k-1)}$ for k > 1.
The function Tow(k) grows as a tower of exponents of 2. A key idea from [9] that we will need is that of
a level k-counter. These counters are parametrized by a natural number n. For instance when n is 1, a
level k counter stores a value in the range 0 to Tow(k) - 1. In addition to storing a sequence of Tow(k - 1)
bits needed to describe values in this range, a level k-counter also stores the address of each of these bits
using level k - 1 counters.

Let $\Sigma_i = \{a_i, b_i\}$, $i \ge 1$. We also write $\Sigma^i$ for $\bigcup_{j \le i} \Sigma_j$. The letters $a_i$ and $b_i$ are used to denote the
0 and 1 values of the level i counter respectively. We are now in a position to formally define level k
counters.

Definition 12. ([9]) Fix an integer n.

- A level 1-counter is a word of length n over the alphabet $\Sigma_1$. Thus interpreting $a_1$ and $b_1$ as 0 and 1
  respectively, the values that a 1-counter takes vary from 0 to $2^n - 1$. The largest value denoted by
  a level 1 counter, denoted $MaxC_n(1)$, is $2^n - 1$.

- A level k-counter is a word over the alphabet $\Sigma^k$ of the form $l_0\sigma_0 l_1\sigma_1 \cdots l_m\sigma_m$ with $\sigma_i \in \Sigma_k$ where each
  $l_i$ is a (k-1) level counter, $l_0$ is the (k-1) level counter representation of the value 0, $l_m$ represents the
  value $MaxC_n(k-1)$, and $\forall i < m$, $l_{i+1} = l_i + 1$.

We shall often write k counter to mean a level k counter. Quite clearly, $MaxC_n(k) = 2^{MaxC_n(k-1)}$.

5.3 Coding Counters properties using MPDSs and CTL formulae 

Our lower bound construction involves maintaining configurations of a bounded-space Turing machine
on the stacks of a multi-pushdown system. The configurations are further encoded using the nested 
counters described in the previous section. In order to achieve this we need to be able to check certain 
basic properties regarding counters and configurations stored on the stacks. In this section we address 
the properties regarding counters and then follow it in the next section with properties of configurations. 
We intend to store the counters on the stack with the Most Significant Bit (MSB) on top of stack. 
Definition 13.

1. minval(k): Assuming that the top of the first counter contains a valid k counter
check that it has the minimum possible k counter value.

Formally, a configuration $q(w_1, w_2)$ satisfies minval(k) if $w_1 = l_1\sigma_1\gamma_1$, with $\sigma_1 \notin \Sigma^k$ and $l_1$ is a valid
k counter implies that every digit of $l_1$ is $a_k$ (denoting 0).

2. maxval(k): Assuming that the top of the first counter contains a valid k counter check that it has
the maximum possible k counter value.

Formally, a configuration $q(w_1, w_2)$ satisfies maxval(k) if $w_1 = l_1\sigma_1\gamma_1$, with $\sigma_1 \notin \Sigma^k$ and $l_1$ is a valid
k counter implies that every digit of $l_1$ is $b_k$ (denoting 1).

3. k-Eq: Assuming that the top of both the stacks contains valid k counters, check that these values
are equal.

Formally, a configuration $q(w_1, w_2)$ satisfies k-Eq iff $w_1 = l_1\sigma_1\gamma_1$ and $w_2 = l'_1\sigma_2\gamma_2$ with $l_1$ and $l'_1$
being valid k counters and $\sigma_1$ and $\sigma_2$ do not belong to $\Sigma^k$ implies that $l_1 = l'_1$.

4. k-Succ: Assuming that the top of both the stacks contains valid k counters, check that the value
on the second stack is the successor of the value on the first stack.

Formally, a configuration $q(w_1, w_2)$ satisfies k-Succ iff $w_1 = l_1\sigma_1\gamma_1$ and $w_2 = l'_1\sigma_2\gamma_2$ with $l_1, l'_1$ valid
k counters, $\sigma_1$ and $\sigma_2$ do not belong to $\Sigma^k$ implies $l'_1$ is $l_1 + 1$ and

5. k-Val: Verify that the contents of the first stack begins with a valid k counter followed by some
letter not in the alphabet $\Sigma^k$.

Formally, a configuration $q(w_1, w_2)$ satisfies k-Val iff $w_1 = l_1\sigma_1\gamma_1$, $l_1$ is a valid k counter and
$\sigma_1 \notin \Sigma^k$.

We shall next show that each of these properties can be ensured by the addition of subroutines and 
restricting their behaviors via CTL formula in a manner to be described below. 

Implementing maxval(k) and minval(k). We first add a new state, $q^{max?}$, that pops the first stack till
it encounters a letter outside $\Sigma^k$ and further enters the state $q_{err}$ if it ever encounters the letter $a_k$ in
doing so. Then, if there is an internal transition from a state $q$ to $q^{max?}$ then a configuration $q(w_1, w_2)$,
in which $w_1$ begins with a valid k counter, satisfies maxval(k) iff it does NOT satisfy the CTL formula
$EX(q^{max?} \land EF\, q_{err})$. One can implement minval(k) quite similarly (using a state $q^{min?}$ instead
of $q^{max?}$ and replacing $a_k$ by $b_k$.)

Clearly this can be achieved by an automaton with a constant number of states (and O(k) transitions
since the alphabet depends on k) and it needs no context switches. The size of the CTL formula is a
constant. Across all the k levels, we thus add O(k) states and make no context-switches.
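The maxval(k) check just described, as an added example (not code from the paper): a small evaluator for the EX/EF fragment runs the formula EX(q_max ∧ EF q_err) over the configuration graph of the popping subroutine. The state names `q`, `q_max`, `q_err`, the letter spellings `a1`, `b2`, the marker `#` for a letter outside the counter alphabet and the sample stacks are all constructed for the illustration; stack 2 is omitted because the subroutine never touches it.

```python
from typing import Callable, List, Sequence, Tuple

Config = Tuple[str, Tuple[str, ...]]      # (control state, stack 1 with its top first)
Succ = Callable[[Config], List[Config]]


def subroutine(k: int) -> Succ:
    """Successor function of the added states: q --internal--> q_max, and q_max
    pops stack 1 while the top letter belongs to levels 1..k (letters aj / bj)."""
    counter_letters = {f"{c}{j}" for j in range(1, k + 1) for c in "ab"}

    def succ(cfg: Config) -> List[Config]:
        state, stack = cfg
        if state == "q":
            return [("q_max", stack)]
        if state == "q_max" and stack and stack[0] in counter_letters:
            nxt = "q_err" if stack[0] == f"a{k}" else "q_max"   # a_k is a 0 digit
            return [(nxt, stack[1:])]
        return []          # q_err, or a letter outside the counter alphabet on top

    return succ


def holds(cfg: Config, formula: tuple, succ: Succ) -> bool:
    """Evaluate a formula built from prop / not / and / EX / EF at cfg.
    A proposition is a control state name and is true exactly at that state."""
    op = formula[0]
    if op == "prop":
        return cfg[0] == formula[1]
    if op == "not":
        return not holds(cfg, formula[1], succ)
    if op == "and":
        return holds(cfg, formula[1], succ) and holds(cfg, formula[2], succ)
    if op == "EX":
        return any(holds(nxt, formula[1], succ) for nxt in succ(cfg))
    if op == "EF":
        # Graph search; it terminates here because the stack only shrinks.
        seen, todo = {cfg}, [cfg]
        while todo:
            cur = todo.pop()
            if holds(cur, formula[1], succ):
                return True
            for nxt in succ(cur):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return False
    raise ValueError(f"unknown operator {op!r}")


PHI_MAX = ("EX", ("and", ("prop", "q_max"), ("EF", ("prop", "q_err"))))


def satisfies_maxval(stack: Sequence[str], k: int) -> bool:
    """maxval(k) holds iff the configuration does NOT satisfy PHI_MAX."""
    return not holds(("q", tuple(stack)), PHI_MAX, subroutine(k))


if __name__ == "__main__":
    # Constructed stacks, top first. Level 1 with n = 3, then level 2 with n = 1,
    # where the address letters a1 / b1 sit between the level-2 digits.
    print(satisfies_maxval(["b1", "b1", "b1", "#"], 1))
    print(satisfies_maxval(["b1", "a1", "b1", "#"], 1))
    print(satisfies_maxval(["b1", "b2", "a1", "b2", "#"], 2))
```

In the level-2 sample the address letter `a1` does not trigger `q_err`: only a level-k zero digit does, which is why one popping pass with no context switch is enough.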

Implementing k — Eq. 

Simple Case: k = 1 

Remember that we need to check this only for configurations where both stacks contain a valid 1- 
counter, i.e. a word of length n over Si, on top. Add a subroutine, with new states, that guesses a 
number i € {0, . . . , n — 1}, pops i symbols from both the stacks and if the following symbols on the two 
stacks are different enters the state q err . 

We can do this using at most one context switch. Pop the $i$ values from stack 1 before doing the same in stack 2, maintaining a counter in the state that counts the number of pops on stack 1 so that we may pop the same number from the other stack. The set of new states, denoted $Q^{=}_1$, has size $n \times 2$ (since we also need to remember the $i$th letter from stack 1 while popping stack 2). Let the starting state of this new subroutine be $q^{=}_{in,1}$. Now, if there is an internal transition from a state $q$ to $q^{=}_{in,1}$, a configuration $q(w_1, w_2)$ in which $w_1$ and $w_2$ begin with valid 1-counters satisfies 1-Eq iff it does NOT satisfy the CTL formula $\Phi^{ctr}_{=}(1) = \mathrm{EX}(q^{=}_{in,1} \wedge \mathrm{EF}\, q_{err})$. We also record the fact that any run beginning at $q^{=}_{in,1}$ makes at most one context switch.

Note that this subroutine has size $O(n)$ and makes at most 1 context switch. The size of the associated CTL formula is constant.

Induction: The contents of the two stacks are of the form $l\sigma\gamma$ and $l'\sigma'\gamma'$, and $l$ and $l'$ are valid $k$ counters. Thus $l = l_{MaxC_n(k-1)}\sigma_{MaxC_n(k-1)} \cdots l_0\sigma_0$ and $l' = l'_{MaxC_n(k-1)}\sigma'_{MaxC_n(k-1)} \cdots l'_0\sigma'_0$. Since the counters are well-formed it suffices to check that it is NOT the case that there is an $i$ and $j$ such that $l_i = l'_j$ and $\sigma_i \neq \sigma'_j$. This ability to decouple the indices on the two stacks is made possible by the special structure of the nested counters and permits us to bound the number of context switches needed.

Our subroutine begins, in a state $q^{=}_{in,k}$, by popping a number of words of the form $c\sigma$, where $c \in (\Sigma^{k-1})^*$ and $\sigma \in \Sigma_k$, from stack 1. This can be achieved by adding a constant number of states (but transitions linear in the alphabet and hence $k$). It then removes a similar sequence (not necessarily of the same length) from stack 2, again requiring the addition of only a constant number of states. Let the set of new states added be $Q^{skip}_k$, and we may assume w.l.o.g. that a successful run of this routine terminates in a state $q^{skip}_k$ which is entered for the first time at this point. Suppose there is an internal transition from a state $q$ to the state $q^{=}_{in,k}$; then, starting at some configuration $q(l\sigma\gamma, l'\sigma'\gamma')$, a run of our subroutine will result in a configuration of the form $q^{skip}_k(l_i\sigma_i l_{i-1}\sigma_{i-1} \ldots l_0\sigma_0\gamma,\ l'_j\sigma'_j l'_{j-1}\sigma'_{j-1} \ldots l'_0\sigma'_0\gamma')$.

We add internal transitions from $q^{skip}_k$ to $q^{=}_{in,k-1}$ to verify whether $l_i = l'_j$. We also add an internal transition from $q^{skip}_k$ to another state q r k li.

The subroutine, with state space Q r k l~[ beginning at q r k S[, checks whether $\sigma_i = \sigma'_j$. It first pops a $k-1$ counter from stack 2 and then such a counter from stack 1 and enters $q_{err}$ if the values following these in the two stacks are different. Again this can be done using at most 3 states and needs only one context switch.

If there is an internal transition from $q$ to $q^{=}_{in,k}$ then a configuration $q(l\sigma\gamma, l'\sigma'\gamma')$ with valid $k$ counters $l$ and $l'$ on top of the two stacks satisfies $k$-Eq if and only if it does NOT satisfy the CTL formula
^(fc) = EX{q=, k A EF(q s f f A (^(k - 1) A EX{t£l= A EF 9err )))). 

The size of this subroutine, which includes the corresponding subroutine for all values less than $k$, is bounded by the sum of the size of the corresponding subroutine for $k-1$ (contributed by $Q^{=}_{k-1}$) and a constant dependent on $k$ (contributed by the states in $Q^{skip}_k \cup$ Q r k l~{). Thus the size of $Q^{=}_k$ is $O(k^2 + n)$. Also observe that the maximum number of context switches possible is 2 plus the number of context-switches possible starting at $q^{=}_{in,k-1}$. Thus, the maximum number of context switches possible is 2 * k. The size of the CTL formula $\Phi^{ctr}_{=}(k)$ is $O(k)$.

Implementing $k$-Succ. We once again use an observation used by Cachat-Walukiewicz. The binary representation of the number $i + 1$ can be obtained from that of $i$ as follows: Let $j$ be the first position, starting from the LSB, where a 0 occurs in $i$. Just flip all the bits in the positions up to $j$. Thus, given the binary representations of two numbers $i$ and $i'$, in order to show that $i'$ is not $i + 1$, it suffices to either find a position between $j$ and the LSB where the bits are identical or a position between the MSB and $j + 1$ where they are different. We call such a position a faulty position.

Base case: $k = 1$. Pop $j$ elements from stack 1, $0 \le j \le n - 1$. This is our guess of the faulty position. Remember $j$ in the state and pop $n - 1 - j$ more elements to learn whether to check for equality or inequality w.r.t. position $j$ in stack 2. Then do the appropriate check on stack 2, entering the state $q_{err}$ if $j$ is indeed a faulty position. The number of states added for this subroutine is linear in $n$ and we use $Q^{+1}_1$ to denote this set and $q^{+1}_{in,1}$ to denote the initial state of this subroutine. Then, a configuration $q(l\sigma\gamma, l'\sigma'\gamma')$ satisfies 1-Succ iff it does NOT satisfy the CTL formula $\Phi^{ctr}_{+1}(1) = \mathrm{EX}(q^{+1}_{in,1} \wedge \mathrm{EF}\, q_{err})$.

The number of states needed is $O(n^2)$ and any run starting at the state $q^{+1}_{in,1}$ makes at most one context switch. Further, the size of the CTL formula is constant.
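The faulty-position test and its base-case subroutine, played out on plain bit lists as an added example that is not code from the paper. Index 0 of each list is the top of the stack (the most significant bit), the function names are illustrative, and the all-ones word is treated as wrapping to all-zeros.

```python
from typing import List, Sequence


def to_bits(value: int, n: int) -> List[int]:
    """n-bit word, most significant bit first (index 0 is the top of the stack)."""
    return [(value >> p) & 1 for p in range(n - 1, -1, -1)]


def is_faulty(x: Sequence[int], y: Sequence[int], pops: int) -> bool:
    """Play one nondeterministic branch of the base-case subroutine.

    `pops` is the guessed number of symbols popped from stack 1 before the
    guessed position. Returns True when this branch would reach q_err, i.e.
    when the guessed position witnesses that y is not x + 1.
    """
    guessed = x[pops]
    # Popping the n - 1 - pops symbols below the guess tells us whether a 0
    # occurs closer to the LSB than the guessed position.
    zero_below = 0 in x[pops + 1:]
    if zero_below:
        # Strictly above the first 0 nothing changes: a difference is a fault.
        return y[pops] != guessed
    # At or below the first 0 every bit is flipped: equality is a fault.
    return y[pops] == guessed


def faulty_positions(x: Sequence[int], y: Sequence[int]) -> List[int]:
    """All guesses (counted as pops from the top) that reach q_err."""
    if len(x) != len(y):
        raise ValueError("both counters must have the same number of digits")
    return [t for t in range(len(x)) if is_faulty(x, y, t)]


def is_successor(x: Sequence[int], y: Sequence[int]) -> bool:
    """y = x + 1 holds exactly when no guess reaches q_err."""
    return not faulty_positions(x, y)


def agrees_with_arithmetic(n: int) -> bool:
    """Compare the local test with integer arithmetic on every pair of n-bit words."""
    size = 1 << n
    return all(
        is_successor(to_bits(i, n), to_bits(j, n)) == (j == (i + 1) % size)
        for i in range(size)
        for j in range(size)
    )


if __name__ == "__main__":
    print(faulty_positions(to_bits(5, 4), to_bits(7, 4)))
    print(agrees_with_arithmetic(4))
```

Each call to `is_faulty` inspects one position of each word, which is why the subroutine needs only one guess and one context switch per branch.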

Induction: The contents of the two stacks are of the form $l\sigma\gamma$ and $l'\sigma'\gamma'$, and $l$ and $l'$ are valid $k$ counters. Thus $l = l_{MaxC_n(k-1)}\sigma_{MaxC_n(k-1)} \cdots l_0\sigma_0$ and $l' = l'_{MaxC_n(k-1)}\sigma'_{MaxC_n(k-1)} \cdots l'_0\sigma'_0$. Again, the structure of the construction remains the same. Repeat what was done for $k - 1$ except that instead of counting out the position numbers in the two stacks use the addresses available in the nested counters.

The subroutine begins by removing some sequence of address value pairs from both the stacks (using at most one context switch and needing only 3 states) as in the case of equality check. This phase ends in a state $q^{skip+}_k$. At this point the configuration should be of the form $q^{skip+}_k(l_i\sigma_i l_{i-1}\sigma_{i-1} \ldots l_0\sigma_0\gamma,\ l'_j\sigma'_j l'_{j-1}\sigma'_{j-1} \ldots l'_0\sigma'_0\gamma')$.

There are internal transitions from $q^{skip+}_k$ to $q^{=}_{in,k-1}$ to check if $l_i = l'_j$ and to three other states

— q k c _!_i, which we have already seen in the previous subsection, beginning a subroutine which enters $q_{err}$ only if $\sigma_i \neq \sigma'_j$.

— ql^f , beginning a subroutine which enters $q_{err}$ only if $\sigma_i = \sigma'_j$.

— q£^\ which pops the remaining part of $l$ from the first stack entering $q_{eq}$ or $q_{neq}$ depending on whether there is an $m < i$ with $\sigma_m = a_k$ (i.e. 0) or not.

Thus, $l$ is not $l' + 1$ if and only if the subroutine $q^{=}_{in,k-1}$ reports that $l_i = l'_j$, and either q\ vp \ enters $q_{eq}$ and qjfli enters $q_{err}$ or q k vp \ enters $q_{neq}$ and q r k °^ enters $q_{err}$.

Let $Q^{+1}_k$ be the set of new states added in the subroutine described above. Let $q^{+1}_{in,k}$ be the initial state of this subroutine. Suppose there is an internal transition from a state $q$ to the state $q^{+1}_{in,k}$. Then, any configuration $q(l\sigma\gamma, l'\sigma'\gamma')$ satisfies $k$-Succ if and only if it does NOT satisfy the CTL formula $\Phi^{ctr}_{+1}(k)$ =
EX(q+] k A EF(<$f + A (^>f (fc - 1) A (EFq eq A EX(^ C J= A EFq err )) V (FFq neq A EX(^ c jf A EFq err ))))). 

Observe that only a constant number of states are added (the subroutine call to $q^{=}_{in,k-1}$ does not create new states as we may use the same copy used for the equality check). Thus, the size of this subroutine is $O(k + n^2)$. Once again we record that the number of context switches in any run starting at $q^{+1}_{in,k}$ is bounded by 2 plus the number of context switches from $q^{=}_{in,k-1}$ and thus bounded by 2 * k. Finally, observe that the size of the CTL formula described above is $O(k)$ since it is a constant plus the size of the formula $\Phi^{ctr}_{=}(k-1)$.

Implementing $k$-Val

Base case: $k = 1$. It is sufficient to check that the stack contents begin with a sequence of length $n$ over $\Sigma_1$ followed by a symbol not in $\Sigma_1$. Our subroutine does this and enters the state $q_{err}$ if this is not the case. Let $Q^{val}_1$ be the set of states and let $q^{val}_{in,1}$ be the initial state of this subroutine. If there is an internal transition from a state $q$ to the state $q^{val}_{in,1}$ then a configuration $q(w_1, w_2)$ satisfies 1-Val iff it does NOT satisfy the CTL formula $\Phi^{ctr}_{val}(1) = \mathrm{EX}(q^{val}_{in,1} \wedge \mathrm{EF}\, q_{err})$.

We note that the size of $Q^{val}_1$ is bounded by $n$ and the routine performs no context switches. The size of the CTL formula is evidently constant.

Induction: Suppose the configuration is $q(w, w')$. Let $w = l\sigma\gamma$ for some $l \in (\Sigma^k)^*$, $\sigma \notin \Sigma^k$. Further let $l = l_m\sigma_m l_{m-1}\sigma_{m-1} \ldots l_0\sigma_0$ with $l_i \in (\Sigma^{k-1})^*$, $\sigma_i \in \Sigma_k$. We need to check that

1. Each $l_j$ is a valid $k - 1$ counter.

2. $l_m$ is the maximum possible $k - 1$ counter (i.e. with a $b_{k-1}$ for each digit).

3. $l_0$ is the minimum possible $k - 1$ counter (i.e. with an $a_{k-1}$ for each digit).

4. For each $j > 0$, $l_{j-1} + 1 = l_j$.

In order to verify the first condition above, we set up a subroutine beginning at state $q^{l-skip}_{in,k}$ which begins by popping a sequence belonging to $((\Sigma^{k-1})^*\Sigma_k)^*$ and then enters $q_k$. The state $q_k$ has an internal transition to $q^{val}_{in,k-1}$. Thus, if there is an internal transition from $q$ to $q^{val}_{in,k}$ then the configuration $q(w, w')$ satisfies the first condition above iff it does NOT satisfy the CTL formula $\Phi^{ctr}_{val,ind}(k) = \mathrm{EX}(q^{l-skip}_{in,k} \wedge \mathrm{EF}(q_k \wedge \Phi^{ctr}_{val}(k-1)))$. Also note that the subroutine beginning at $q^{l-skip}_{in,k}$ adds only a constant number of states and any run of this subroutine has at most as many context switches as $q^{val}_{in,k-1}$. The formula $\Phi^{ctr}_{val,ind}(k)$ has size bounded by a constant plus the size of $\Phi^{ctr}_{val}(k-1)$.

Checking the second condition, assuming that the first condition is satisfied, corresponds to checking maxval(k − 1). In effect, if $q$ has an internal transition to $q^{max?}$ and $q(w_1, w_2)$ is a configuration satisfying property 1 then it satisfies property 2 iff it does NOT satisfy the CTL formula $\Phi^{ctr}_{val,last}(k) = \Phi^{ctr}_{max}(k-1)$. This subroutine does not involve any context-switches and adds only a constant number of states. The size of the formula $\Phi^{ctr}_{val,last}(k)$ is constant.

Again, assuming that the first condition is satisfied, checking the third condition can be achieved using the subroutine that begins at state $p^{l-skip}_{in,k}$ which begins by popping a sequence belonging to $((\Sigma^{k-1})^*\Sigma_k)^*$ and then enters $p_k$, with some $l_j$ on top of the stack. The state $p_k$ has internal transitions to $q^{min?}$ (to check minval(k − 1) holds for $l_j$) as well as to a state $q^{last}_k$. The state $q^{last}_k$ pops a sequence of elements of $\Sigma^{k-1}$, then pops an element of $\Sigma_k$ and verifies that the following letter does not belong to $\Sigma^k$ and enters $q_{win}$ on successfully carrying out this task. In effect the run from $q^{last}_k$ ends at $q_{win}$ iff $j = 0$. Thus, if a state $q$ has an internal transition to $p^{l-skip}_{in,k}$ and $q(w_1, w_2)$ is a configuration satisfying the first two conditions then it does NOT satisfy property 3 iff it satisfies the CTL formula $\Phi^{ctr}_{val,first}(k) = \mathrm{EX}(p^{l-skip}_{in,k} \wedge \mathrm{EF}(p_k \wedge (\ (k-1)) \wedge \mathrm{EX}(q^{last}_k \wedge \mathrm{EF}\, q_{win})))$. Once again, this subroutine does not involve any context-switches and adds only a constant number of states. The size of the formula $\Phi^{ctr}_{val,first}(k)$ is constant.

Finally we describe how to check the fourth property assuming the first three are satisfied. Our strategy is the following.

1. First pop a sequence belonging to $((\Sigma^{k-1})^*\Sigma_k)^*$ to guess a $j$ which violates property 4, that is

2. Copy $l_j$ to the other stack.

3. Remove $l_j\sigma_j$ from the first stack.

4. Check for satisfaction of $(k-1)$-Succ.

The tricky step is to copy $l_j$ on to the second stack using few context-switches. Once again we use the power of combining subroutines with CTL assertions. We set up a subroutine that writes down an arbitrary sequence over $((\Sigma^{k-2})^*\Sigma_{k-1})^*$ in the second stack. We then check (using the induction hypothesis) that it is a valid $k - 1$ counter and that the resultant configuration satisfies $(k-1)$-Eq to simulate the effect of copying.

The subroutine begins at a state r\~ s k %v which pops a sequence from ((£ k ~ 1 )* E^)* and enters a 
state q^^ 8 ■ When a run reaches this state the contents first stack would be ljOjlj-\Oj-\ . . . /o°o7- The 
subroutine beginning at q 9 k , empties the second stack if it already is not empty and then writes down 
an arbitrary sequence over {{E k ~ 2 )* Ek-i)* into the second stack and enters a state q^ichk- The state 
Qh-Lchk nas internal transitions to fc_i(2)' and to q~; n ( k _ 1 y The state Q^-Lchk a ^ so nas a internal 
transition to the state q^ k which pops the first stack till lj(jj is removed and then enters a state qfn(k-i) 
which has an internal transition to q^(k-i)- 

Assuming that the state $q$ has an internal transition to $r^{l-skip}_{in,k}$, the configuration $q(w_1, w_2)$ satisfies the fourth property if and only if it does NOT satisfy the following CTL property

*52Ucc(*) = mrl-? iP A EF^-) A m^cHH A - 1)(2))) 

A(^e((fc - 1))) A EX(q^ k A EF(g+^ fe _ 1) A - 1))))))) 



The subroutine only contains a constant number of new states. The maximum number of context switches starting at $r^{l-skip}_{in,k}$ is bounded by 2 plus the maximum of the number of context switches made starting from $q^{=}_{in,(k-1)}$, $q^{+1}_{in,(k-1)}$ and $q^{val}_{in,(k-1)}(2)$. Further, the size of the formula above is constant plus the size of the formula $\Phi^{ctr}_{val}((k-1))(2)$ and the size of $\Phi^{ctr}_{+1}((k-1))$.

Finally we combine these four parts into one. The state $q^{val}_{in,k}$ has internal transitions to $q^{l-skip}_{in,k}$, $p^{l-skip}_{in,k}$ and $r^{l-skip}_{in,k}$. Then, if $q$ is any state with an internal transition to $q^{val}_{in,k}$ then $q(w_1, w_2)$ satisfies the formula

$\Phi^{ctr}_{val}(k) = \mathrm{EX}(q^{val}_{in,k} \wedge (\Phi^{ctr}_{val,ind}(k) \vee \Phi^{ctr}_{val,last}(k) \vee \Phi^{ctr}_{val,first}(k) \vee \Phi^{ctr}_{val,succ}(k)))$

iff $w_1$ does not begin with a valid $k$ counter.

Summing the values from the four different cases, we note that the entire subroutine only adds a constant number of new states. Thus, across all levels $k$ the number of states added for this case is bounded by $O(k + n)$. The maximum number of context switches is bounded by the maximum of the number starting at $q^{val}_{in,k-1}$ and the number we get for case 4 above, which is indeed higher. Thus the maximum number of context switches is bounded by 2 * k. Finally, the size of the formula is $O(2^k)$, since there are two copies of $\Phi^{ctr}_{val}(k-1)$ in the expression for $\Phi^{ctr}_{val}(k)$ (one from the first case and one from the last case).

Thus in total the subroutines built to handle the counter operations in this section need only $O(k^2 + n^2)$ states. Further any call to any of these subroutines makes at most 2 * k context-switches and finally the size of the CTL formulas used in asserting the counter properties is bounded by $O(2^k)$.
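An added sketch (not from the paper) of what the four conditions for $k$-Val demand, written as a direct recursive checker instead of the subroutine-plus-CTL encoding. It assumes that $a_k$ and $b_k$ stand for the digits 0 and 1, that a 1-counter is an $n$-letter word over level 1, and that words are listed top of stack first; all function names are illustrative.

```python
from typing import List, Optional, Tuple

Sym = Tuple[int, int]  # (level, bit): (k, 0) stands for a_k and (k, 1) for b_k


def max_value(k: int, n: int) -> int:
    """Largest value a k-counter can hold (assumed to be the paper's MaxC_n(k))."""
    digits = n if k == 1 else max_value(k - 1, n) + 1
    return (1 << digits) - 1


def encode(k: int, n: int, value: int) -> List[Sym]:
    """Stack word of the k-counter holding `value`: l_m s_m ... l_0 s_0."""
    if k == 1:
        return [(1, (value >> p) & 1) for p in range(n - 1, -1, -1)]
    word: List[Sym] = []
    for addr in range(max_value(k - 1, n), -1, -1):
        word.extend(encode(k - 1, n, addr))      # address l_addr
        word.append((k, (value >> addr) & 1))    # digit sigma_addr
    return word


def check(k: int, n: int, word: List[Sym]) -> Tuple[Optional[int], str]:
    """Return (value, "ok") for a valid k-counter, otherwise (None, reason)."""
    if k == 1:
        if len(word) == n and all(level == 1 for level, _ in word):
            return sum(bit << (n - 1 - i) for i, (_, bit) in enumerate(word)), "ok"
        return None, "not a word of length n over level 1"
    # Split the word as ((letters of level < k)* digit of level k)*.
    pairs, addr = [], []
    for level, bit in word:
        if level > k:
            return None, "letter outside the alphabet"
        if level == k:
            pairs.append((addr, bit))
            addr = []
        else:
            addr.append((level, bit))
    if addr or not pairs:
        return None, "malformed address/digit sequence"
    values = [check(k - 1, n, a)[0] for a, _ in pairs]
    if None in values:
        return None, "condition 1"   # some l_j is not a valid (k-1)-counter
    if values[0] != max_value(k - 1, n):
        return None, "condition 2"   # top address is not the maximum
    if values[-1] != 0:
        return None, "condition 3"   # bottom address is not the minimum
    if any(hi != lo + 1 for hi, lo in zip(values, values[1:])):
        return None, "condition 4"   # some l_{j-1} + 1 != l_j
    return sum(bit << v for v, (_, bit) in zip(values, pairs)), "ok"


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(level, len(encode(level, 2, 0)), max_value(level, 2))
```

With $n = 2$ the word lengths printed are 2, 12 and 208 while the largest values are 3, 15 and 65535, which is the tower growth the lower bound relies on.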



i.e. the start state of the subroutine that checks that at the top of stack 2 there is a valid $k - 1$ counter, which can be constructed similarly to our construction for stack 1

5.4 Turing Machines, MPDSs and CTL formulae

We now show a method to encode configurations of a space bounded Turing machine with an input of size $n$ and at most $MaxC_n(k)$ tape cells using $k$ counters which are stored and processed using the stacks of a multi-pushdown system.

Let $M = (Q_M, \Gamma_M, s_M, \delta_M, F_M)$ be such a Turing machine. The contents of the tape of such a machine may be written as a string of length $MaxC_n(k)$ over the alphabet $\Sigma_M = \Gamma_M \cup Q_M$, where a letter from $Q_M$ occurs precisely once. We enrich this string by writing down the address of each position of the string as a $k$ counter. (Thus this encoding looks like a $k + 1$ counter except that the alphabet at level $k + 1$ is $\Sigma_M$ instead of $\{a_{k+1}, b_{k+1}\}$.) We call such a configuration a $k$ configuration of $M$.

As in the case of $k$ counters we now show that it is possible to check certain properties regarding configurations that lie on top of the stacks of a multi-pushdown system.

Definition 14. 1. $k$-ValConf: The top of the first stack is of the form $\rho_1\zeta\gamma$ where $\rho_1$ is a valid $k$ configuration (with the right end of the tape on top) and $\zeta \notin \Sigma_M \cup \Sigma^k$.

2. $(k, w)$-InitConf: Assuming that the top of the first stack contains the encoding of some configuration followed by $\zeta$, verify that it is the initial configuration on input $w$, where $w$ is of length $n$.

3. $k$-FinalConf: Assuming that the top of the first stack contains the encoding of some configuration followed by $\zeta$, verify that it is a final configuration.

4. $k$-EqConf: Assuming that the tops of the two stacks contain valid configurations $\rho_1$ and $\rho_2$ (followed by $\zeta$), verify that $\rho_1 = \rho_2$.

5. $k$-SuccConf: Assuming that stack 1 begins with a valid $k$ configuration $\rho_1$ followed by $\zeta$ and that stack 2 begins with a valid $k$ configuration $\rho_2$ followed by $\zeta$, verify that $\rho_1 \vdash_M \rho_2$.*

6. $k$-ValMov: Assuming that the first stack contains two valid $k$ configurations one below the other and separated by a $\zeta$ (i.e. it is of the form $\rho_1\zeta\rho_2\zeta\gamma$), verify that $\rho_2 \vdash_M \rho_1$.

We next show that each of these properties can be checked using special subroutines in combination 
with CTL formulae. 



Implementing $k$-ValConf Suppose the configuration is $q(w, w')$. Let $w = l\sigma\gamma$ for some $l \in (\Sigma^k \cup \Sigma_M)^*$, $\sigma \notin \Sigma^k \cup \Sigma_M$. Further let $l = l_m\sigma_m l_{m-1}\sigma_{m-1} \cdots l_0\sigma_0$ with $l_i \in (\Sigma^k)^*$, $\sigma_i \in \Sigma_M$. We need to check that

1. Each $l_j$ is a valid $k$ counter.

2. $l_m$ is the maximum possible $k$ counter (i.e. with a $b_k$ for each digit).

3. $l_0$ is the minimum possible $k$ counter (i.e. with an $a_k$ for each digit).

4. For each $j > 0$, $l_{j-1} + 1 = l_j$.

5. $\sigma = \zeta$.

6. Exactly one of the letters $\sigma_m, \sigma_{m-1}, \ldots, \sigma_0$ belongs to $Q_M$.

Observe that the first 4 properties are identical to those needed to check the validity of counters and we omit the details. Items 5 and 6 constitute a simple regular property and we again omit the details. Thus, we may construct a subroutine beginning at a state that uses only a constant number of new states (and $O(k + |\Sigma_M|)$ transitions) and which makes at most 2 * k context switches on any run, and a CTL formula $\Phi^{con}_{val}(k)$, whose size is $O(2^k)$, such that, if $q$ is any state with an internal transition to q\nk then $q(w_1, w_2)$ does NOT satisfy the formula $\Phi^{con}_{val}(k)$ if and only if $q(w_1, w_2)$ satisfies $k$-ValConf.



Implementing $(k, w)$-InitConf, $k$-FinalConf, $k$-EqConf For configurations $q(w_1, w_2)$ satisfying $k$-ValConf, the first two properties are regular properties that can be checked easily and hence we omit the details. Checking $k$-EqConf can be done exactly as the equality of $k$ counters was checked and the details are omitted.

We assume the presence of subroutines beginning at $q^{initC}_k$, $q^{finalC}_k$ and $q^{con,=}_k$, and CTL formulas $\Phi^{con}_{init}(k, w)$, $\Phi^{con}_{final}(k)$ and $\Phi^{con}_{=}(k)$ such that if $q$ is any state with an internal transition to $q^{initC}_k$ or $q^{finalC}_k$ or $q^{con,=}_k$ then it does NOT satisfy $\Phi^{con}_{init}(k, w)$ or $\Phi^{con}_{final}(k)$ or $\Phi^{con}_{=}(k)$ iff it satisfies $(k, w)$-InitConf or $k$-FinalConf or $k$-EqConf respectively.

In the case of $(k, w)$-InitConf the number of states added is $O(|w|)$ and in all the other cases we only add a constant number of new states, and hence $O(k)$ across all the levels, and any of these subroutines makes at most 2 * k context switches and the sizes of the formulas are in $O(k + |\Sigma_M|)$.

* To be precise, the configurations coded by $\rho_1$ and $\rho_2$ are related by $\vdash_M$ and not $\rho_1$ and $\rho_2$ themselves.

Implementing $k$-SuccConf We assume that the TM in each move either modifies the current tape cell or moves (left or right). So, if $C_1 = x_1 a q b x_2$ is a configuration and $C_1 \vdash_M C_2$ then $C_2 = x_1 d e f x_2$. A move changes at most 2 positions, the position where $Q_M$ appears and one of its adjacent positions. Thus to check if $C_2$ is reachable from $C_1$ by a move it suffices to check that firstly, all positions that are at distance 2 or more from an element of $Q_M$ are unchanged, and secondly, the segment of length three with an element of $Q_M$ in the middle is transformed in accordance with a move.

Let $\rho_1 = l_m\sigma_m l_{m-1}\sigma_{m-1} \cdots l_0\sigma_0$ and $\rho_2 = l'_m\sigma'_m l'_{m-1}\sigma'_{m-1} \cdots l'_0\sigma'_0$. This construction is similar to the construction for checking $k$-Succ and we set up subroutines that try to check if one of the two properties mentioned above is violated.

The state q™^ k begins a subroutine that first removes an element of ((E k )* Em)* from stack 1 
ensuring that the last element removed is not an element of Qm- It then enters a state q^™' s which has 
an internal transition to states q~^ and r™ 1 ^ . 

r lmk removes an element of ((E k )* Em)* from stack 2 and enters a state r^™' s . Starting with 
^IrTfc S (/°iCti ; P2C72) m the stack, a run that reaches r^™' s will result in a configuration of the form 
r^™' s (k&ik-i&i-i ■ ■ ■ lo<To> h^jh-^'j-i ■ ■ ■ 'o^o) and by construction a i+1 G Jm- r /'fc' s nas internal tran- 
sitions to the states q~ n k and to the state q k c . The subroutine is at q k c removes a fc-counter from both the 
stacks and enters the state q err if the following symbol on stack 1 is not in Qm and different from the next 
symbol on stack 2. Thus, in the configuration referred to above, the formula -^<I> c l r {k) A EX(q k c AEFq err ) 
witnesses the fact that i = j and <7j ^ a'j . 

q^*® removes a k counter and enters q w i n if the next value is not an element of Qm and its role is to 
verify that <r,_i is not an element of Qm- Thus the configuration q™™ k s (pi(ji , P2Q12) satisfies the CTL 
formula 

$t™(k) = EF(q™'° A mi7* Q A EFq win ) A EX(r^ s A EF(r^' A ^(fc) A EX(<£ C A EFq err )))) 

only if there is a position $i$ such that $\sigma_{i-1}, \sigma_i, \sigma_{i+1} \notin Q_M$ and $\sigma_i \neq \sigma'_i$.

The subroutine starting at q™™ k adds only a constant number of new states, and the maximum 
number of context-switches is along the path via r™ 7 ^ 5 leading to q~ n k and is thus bounded by 2 + 2 * k. 
The size of the formula $^{k) is at most 0(k). 

To handle the three positions at distance < 1 from the position with an element of Qm we have 
a subroutine beginning at state q™™ k ■ The state q"™ k h pops a sequence from ((E k )* Em)* from stack 

1 and enters a state r™ 1 ^ ' . r™™ k removes a sequence from ((E k )* Em)* from stack 2 and enters the 

state ry r k l ' h . Starting with q-^^ipiCli-, P2C12) in the stack, a run that reaches r^™' h will result in a 

configuration of the form r^' h (liUili-\Gi-\ . . . lo(To,lj&jlj-i<7j-i ■ ■ ■ lo&'o)- r /T ,/l nas internal transitions 
to the state q= n k , q^} ov and'the state r^ ov . 

The role of 9™°" and r™ "" is to identify the letters at the 3 positions at distance < 1 from the state. 
q"iov j^ as m t erna i transitions to states q( a ,q,b) where a, b £ i~M and q £ Qm- Q( a ,q,b) pops the elements of 
stack 1 and enters the state q W i n iff the first three elements of Em it removes are a, q and b respectively. 
The behavior of 7-™°" and r^ a b ^ is similar (where a, 6, c e Em and exactly one of them belongs to Qm- 

Let $V = \{((a,q,b),(d,e,f)) \mid aqb \nvdash_M def\}$. The configuration 5^ 7 fe' l $(\rho_1\zeta\gamma_1, \rho_2\zeta\gamma_2)$ satisfies the CTL formula

= EF(r™- h A ^t r {k) A \/ (EX(g (0i ,, 6) A EFq win ) A EX(r (dA/) A EFq win ))) 

((a,q,b),(d,e,f))eV 

iff the three positions in $\rho_1$ around the occurrence of the state do not entail the corresponding positions in $\rho_2$ through any valid move.

The subroutine starting at q™™ k adds (Dd^M | 3 ) states, and the maximum number of context-switches 

is along the path via r™™ k leading to to q= n k and is thus bounded by 2 + 2 * k. The size of the formula 

$h°h(*0 is at most °( k + \ s m\ 6 )- 

Let be a state with internal transitions to q™^ k and q™ 1 ^ ' ■ If a state q has an internal transition 
to g™ 7 ! then the configuration g(piC7i, P2, (, 12) satisfies the CTL formula 

#T (*) = EX(«C* A (EX(<Q S A $Z\k)) V EX(qZ! k h A 
iff $\rho_1 \nvdash_M \rho_2$.

The total number of states added therefore is bounded by $O(|\Sigma_M|^3)$, the number of context-switches is bounded by 2 + 2 * k and the size of the formula is bounded by $O(k + |\Sigma_M|^6)$.

Implementing $k$-ValMov Having implemented $k$-EqConf and $k$-SuccConf, implementing $k$-ValMov is not difficult. The idea is to copy the first configuration on to the second stack (using a similar idea to the one used in $k$-Val) by generating an arbitrary sequence, and testing that it is valid (using $k$-ValConf) and correct (using $k$-EqConf). Then, we remove one configuration from stack 1 and then we use $k$-SuccConf to verify whether the copy on the second stack is indeed reachable by a move from the configuration on top of the first stack. The details are as follows.

The subroutine beginning at the state q^ n k empties the second stack and writes down an arbitrary 
sequence from (E k U S M )*( and enters q k c c ° hk . The state q a k ' 

chk has internal transitions to the states 
llnki^ an d ^nl' - - Qk'chk a ^ s0 nas an internal transition to q k con . The subroutine beginning at q k con 
removes the top of the first stack up to (and including) the first £ and enters the state q k j n which in 
turn has an internal transition to q?™ k ■ 

Then, any state q with an internal transition to <7™™ fc , a configuration q(pi(p2(ji,j2) satisfies the 
CTL formula 

*h(A) = EX(4 ifc A EFiqlfeZ A -*SS?(*0(2) A ^ c ° n {k) A EX(^ co " A EF(«^ A $r (*))))) 
iff it does not satisfy k — ValMov. 

We add only a constant number of new states here. The maximum number of context switches is bounded by the maximum of 1 + 2 * k (for the path through q™ l k (2)), 1 + 2 * k (for the path through Qi^k~) and 2 + 2 + 2 * k for the path through q"™ k. Thus the maximum number of context switches is bounded by 4 + 2 * k. The size of the formula $\Phi_{\vdash}(k)$ is $O(2^k + |\Sigma_M|^6)$.

Thus overall, across the subroutines for the counters and configurations we have added only $O(n^2 + k^2 + |\Sigma_M|^3)$ states, make at most 4 + 2 * k context-switches in any run and any formula used is bounded in size by O(2^k +

5.5 From Space Bounded TMs to Model-Checking MPDSs 

In this section we utilize the constructions of the previous two sections to show that for any given TM $M$ working in nondeterministic space $Tow(k)$ and an input word $w$ of length $n$, we can construct an MPDS $A$ whose state space is polynomial in $n$, $k$ and the size of $M$, and a CTL formula $\alpha$, both of whose sizes are polynomial in the size of $M$, $w$ and exponential in the size of $k$, such that the MPDS $A$ makes at most 2 * k + 5 context switches in any run and $A$ satisfies the formula $\alpha$ iff the TM has an accepting run on the word $w$. Thus, model-checking of MPDSs under the bounded context-switch restriction against CTL formulas has a non-elementary lower-bound.

The idea is quite simple. The MPDS writes down a sequence of $\zeta$-separated strings that could each potentially be a $k$ configuration. We use the techniques of the previous section to verify that each such string is a valid $k$ configuration and that it can be reached by a move from the previously written configuration. We also check that the first configuration it writes down is the initial configuration on $w$ and that it eventually writes a final configuration. Clearly, all of this is possible only if the given Turing machine has an accepting run on $w$.

The MPDS we construct works as follows. It starts a state q aC c(k) with just the _L in both stacks. 
The state q acc (k) begins a subroutine which writes down a sequence in ((S k U Em)* and then enters 
a state q l ^ k tC (k,w). This state ql™ k tC (k,w) has internal transitions to the states q\^ k and q k n ^ c ■ The 
state q l ^ k tc : {k 7 ) also has an internal transition to a state q guess c{k)- The state q gue ssc{k) begins a routine 
which writes down a sequence in ((S k U Um)* and enters the state q™ k ve (fc) ■ The state q™ k ve (k) has an 
internal transition to q™^ , q^ n _ k , ql malc and to q gU essc(k) as well. 

This system satisfies the CTL formula 

$™ c (k, w) = q acc (k) A EF((g«» tc (fc, w) A (fc, w))A 

(ter(fc) => (*) A -*h(fc))) EU (q2T(k) A ^{k) A ^> h (fc) A ^ c f Z al (k)))) 

§ Once again, a variant that checks that the value in Stack 2, instead of Stack 1, is a valid k configuration 
iff the Turing machine has an accepting run.

The number of states added is constant (and $O(k + |\Sigma_M|)$ transitions are added). The maximum number of context-switches is through q^ l ° k ve {k) and then via q^ n k and is bounded by 1 + 4 + 2 * k. The size of the CTL formula above is bounded by $O(2^k + |\Sigma_M|^6)$.

Eliminating EU We now show that we can in fact restrict ourselves to the fragment of CTL consisting of EX and EF and still obtain the same lower bound. For this we modify the construction described above slightly. The automaton first writes down an entire sequence of potential configurations and then checks that it is a valid accepting run, instead of doing so as each configuration is generated. The details are as follows.

Now, the MPDS writes down a sequence of words from ((S h U Sm)* on the stack (starting at state 
Qacc{k)) and then enters a state q r k un ■ The state q™ n has an internal transitions to q™ l k '> q[ malc , q^ n k 
and q k emC ■ The state q k emC repeatedly removes ane element of (S k U Sm)*C an d re-enters itself. The 
state q r k emC also has internal transitions to q\^ , Qi n ,k'1k^w C '> ll + an d ll + ■ 

The state q\ + attempt to remove a sequence form (S k U Um)) + ( and enters the state q w i n if it 
succeeds. The state q\ + does the same if it succeeds in removing two such sequences. Then the MPDS 
satisfies the following CTL formula &^ c (k, w) iff the TM accepts the word w. 

^ cc (k,w) = q acc (k) A EF( 

{q run A ^co ?(A) ^ h(fc) A ^con ai{k)) 

A -,EF(q r k emC A EX(ql+ A EFq win ) A (fc)) 
A -EF(^ emC A EX(q 2 + A EFq wm ) A <P h (k)) 

A -^EF(q r k emC A EX(ql + A EFq win ) A EX(q 2 + A -^EFq win ) A $ c ™ t (k, w)) 

) 

This construction adds only a constant number of new states (and $O(k + |\Sigma_M|)$ transitions), makes at most 4 + 2 * k context switches and the size of the formula $\Phi_{acc}(k, w)$ is $O(|w| + |\Sigma_M| + 2^k)$.

In summary, given a Turing machine $M$ and a word $w$ we can construct an MPDS $A$ with state space $O(|w| + |\Sigma_M|^3 + k)$ which makes at most 4 + 2 * k context switches and a formula $\alpha$, whose size is $O(|w| + |\Sigma_M|^6 + 2^k)$, such that $A$ satisfies $\alpha$ iff $M$ accepts $w$ in space $2^{2^{\cdot^{\cdot^{\cdot^{|w|}}}}}$ where the height of the tower is $k$.

Observation: It is also possible to reduce Alternating Turing Machines instead of Nondeterministic machines, but the additional work does not buy us much.

$ASPACE(Tow(k/2)) \subseteq DTIME(Tow(k/2+1)) \subseteq DSPACE(Tow(k/2+1)) \subseteq NSPACE(Tow(k/2+1))$

So, we just get to increase the height of the tower by 1.